Joseph,

The input to the decrypt transform is a node set. The decrypt transform
tries to decrypt all the <enc:EncryptedData> in this node set. Since all
the nodes in the node set belong to the same document, there is no need to
specify any node outside of this document.

When the signature is a detached one, and the <Reference> refers to some
portion of an external XML document, the input node set to the decrypt
transform will be the node set of this external XML document. So the
<Except URI="..."/> is always relative to the referenced document.

Does it make sense?

Hiroshi
--
Hiroshi Maruyama
Technical Advisor to Director, Tokyo Research Laboratory
+81-46-215-4576
maruyama@jp.ibm.com
From: Joseph Reagle <reagle@w3.org>@w3.org on 2002/02/28 06:53
Please respond to reagle@w3.org
Sent by: xml-encryption-request@w3.org
To: Takeshi Imamura/Japan/IBM@IBMJP, Hiroshi Maruyama/Japan/IBM@IBMJP
cc: xml-encryption@w3.org
Subject: Why is Except limited to local fragments?
I was just rereviewing [1] while getting it ready for CR publication and
had a substantive question: why must the Except URI's be "same document URI
references"? The schema says anyURI and this doesn't permit one to use a
detached signature...? (Maybe this has already been covered, but if so, I
forgot the reason! <smile/>)
[1] http://www.w3.org/Encryption/2001/Drafts/xmlenc-decrypt.html#transform
The REQUIRED URI attribute value of the dcrpt:Except element MUST be a
non-empty same-document URI reference [URI] (i.e., a number sign ('#')
character followed by an XPointer expression (as profiled by
[XML-Signature, Section 4.3.3.2]) and identify an enc:EncryptedData.
--
Joseph Reagle Jr. http://www.w3.org/People/Reagle/
W3C Policy Analyst mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature/
W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
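
The resolution rule discussed in this thread, as an added example that is not code from either correspondent or from the specification: each Except URI is checked to be a non-empty same-document reference and is resolved only within the node set of the referenced (here external) document, and every other enc:EncryptedData in that node set is a decryption target. The function names, the sample document, and the simplification of matching a bare-name fragment against an `Id` attribute (instead of full XPointer processing) are assumptions.

```python
import xml.etree.ElementTree as ET

ENC_DATA = "{http://www.w3.org/2001/04/xmlenc#}EncryptedData"

# Constructed sample: the external document that a detached signature's
# <Reference> points at. Its node set is the input to the decrypt transform.
EXTERNAL_DOC = """<order xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
  <enc:EncryptedData Id="enc1"><enc:CipherData/></enc:EncryptedData>
  <enc:EncryptedData Id="enc2"><enc:CipherData/></enc:EncryptedData>
  <note Id="n1">plain text</note>
</order>"""


def resolve_except(uri, root):
    """Resolve one Except URI inside the referenced document only."""
    if not uri.startswith("#") or len(uri) == 1:
        raise ValueError(f"not a non-empty same-document reference: {uri!r}")
    frag = uri[1:]
    # Assumption: bare-name fragment matched against an attribute named "Id".
    for el in root.iter():
        if el.get("Id") == frag:
            if el.tag != ENC_DATA:
                raise ValueError(f"{uri!r} does not identify an enc:EncryptedData")
            return el
    raise ValueError(f"{uri!r} not found in the referenced document")


def decrypt_targets(doc_xml, except_uris):
    """Return Ids of the EncryptedData elements the transform would decrypt."""
    root = ET.fromstring(doc_xml)
    excepted = [resolve_except(u, root) for u in except_uris]
    return [el.get("Id") for el in root.iter(ENC_DATA)
            if not any(el is x for x in excepted)]


if __name__ == "__main__":
    # enc1 is excepted (left encrypted), so only enc2 is a decryption target.
    print(decrypt_targets(EXTERNAL_DOC, ["#enc1"]))
```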